Paul Walsh asked on

Account Lockout - Find App/Process on account

Hi All,

I have an account that is constantly being locked within AD after a password change. On our secondary DC, looking at the event logs, it tells me the first DC is the computer that is causing the lockout. I have looked everywhere on this first DC for where this account is used, but cannot find it. On the first DC, within about 30 seconds of unlocking this account, I can see an event that states that the particular credentials have been explicitly used. Any idea how I can find what app/process is using this account?

I have tried resetting the password back to what it used to be, however the account still gets locked out.

Thanks for your help.

Cheers,
Paul
Tags: Account Lockout, Active Directory

Last comment: Zaheer Iqbal, 8/22/2022 (Mon)
SOLUTION
Zaheer Iqbal

Paul Walsh

ASKER
Hi,

Thanks for this, I have followed the steps provided. On the DC in question, with the account in question, I can only see events with failure code 0x12 and not the 0x18 stated in the guide?

Cheers,
Paul
Paul Walsh

ASKER
Hi,

What is strange is that it states the secondary domain controller is locked. There is no log of this domain controller locking my account. What I can find on my first domain controller is an event ID 4648 that states that the administrator account tried to log on to the second domain controller using this account's credentials.

I would be more than grateful for any help.

Cheers,
Paul
Zaheer Iqbal

Is the account used for a user / support user, or is it a service account?
Do you have any tasks running against that account, or any services running as that account?
Paul Walsh

ASKER
Hi,

That's the strange thing, the account in question isn't a service account. I have checked under services and scheduled tasks and it isn't listed there either.
Paul Walsh

ASKER
What I can see periodically on the first controller is an event ID 4648 with the account in question. It looks like the administrator is trying to log on using the problem account. In the Process ID field I get 0x4?

Cheers,
Paul
ASKER CERTIFIED SOLUTION
Shabarinath TR

Paul Walsh

ASKER
Hi,

OK, finally cracked it. For some reason it wasn't logging the account lockout on the target controller. It did, however, log event 4625, which listed the first DC. I checked the logs on the corresponding DC and the timestamps matched the 4648 event, confirming the first DC as the culprit. The account wasn't assigned to any services or scheduled tasks. Came across this: https://www.morgantechspace.com/2013/07/how-to-clear-windows-cached-credentials.html

and, lo and behold, the problem account had a cached credential. Removed the defunct entry, ensured everything was still running as expected, and hey presto, strange problem fixed.

Thanks for all your help, I will split the points.

Paul
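The lockout trace described in this thread (4740 on the DC to find the caller computer, then 4625/4648 on that computer to find the process, then a check of cached credentials), written out as a PowerShell script. This is an added example, not code from the thread or any of its participants; the account name, DC name and lookback window are placeholders, and it assumes it is run by an administrator with remote read access to the Security logs.

```powershell
# Added example: walk an AD account lockout back to the process that presented
# the stale password. Placeholders below must be replaced with real values.
param(
    [string]$TargetUser   = 'PLACEHOLDER.USER',          # sAMAccountName of the locked account
    [string]$PdcEmulator  = 'PLACEHOLDER-DC01',          # the DC that records 4740 for every lockout
    [int]   $LookbackHours = 24
)

$since = (Get-Date).AddHours(-$LookbackHours)

# Return an event's EventData fields as a hashtable keyed by field name, so we
# can read TargetUserName, ProcessName etc. without relying on positional indexes.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    return $data
}

# Step 1: 4740 (account locked out) on the PDC emulator. Its TargetDomainName
# field is the "Caller Computer Name", i.e. the machine that sent the bad password.
$lockouts = Get-WinEvent -ComputerName $PdcEmulator -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = Get-EventData $_
    if ($d.TargetUserName -eq $TargetUser) {
        [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUserName; Caller = $d.TargetDomainName }
    }
}
Write-Host "== 4740 lockouts for $TargetUser on $PdcEmulator =="
$lockouts | Format-Table -AutoSize

# Step 1b: 4771 (Kerberos pre-auth failed) on the same DC. Status 0x18 means a
# wrong password was presented; 0x12 means the client is already revoked
# (locked out, disabled or expired), which is why only 0x12 shows once the
# account is already locked. The 0x18 entries just before the lockout are the
# ones that identify the source IP.
Write-Host "== 4771 pre-auth failures for $TargetUser on $PdcEmulator =="
Get-WinEvent -ComputerName $PdcEmulator -FilterHashtable @{
    LogName = 'Security'; Id = 4771; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = Get-EventData $_
    if ($d.TargetUserName -eq $TargetUser) {
        [pscustomobject]@{ Time = $_.TimeCreated; Status = $d.Status; SourceIp = $d.IpAddress }
    }
} | Format-Table -AutoSize

# Step 2: on each caller computer, 4625 (logon failure) and 4648 (logon with
# explicit credentials) carry ProcessId/ProcessName of whatever presented the
# password. A ProcessId of 0x4 is the System process, which points at a
# service, scheduled task or a credential the OS replays on the user's behalf
# (a stored Credential Manager entry, as in this thread) rather than an
# interactive application.
foreach ($caller in ($lockouts.Caller | Sort-Object -Unique)) {
    Write-Host "== 4625/4648 for $TargetUser on $caller =="
    Get-WinEvent -ComputerName $caller -FilterHashtable @{
        LogName = 'Security'; Id = 4625, 4648; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventData $_
        if ($d.TargetUserName -eq $TargetUser) {
            [pscustomobject]@{
                Time         = $_.TimeCreated
                Id           = $_.Id
                Subject      = $d.SubjectUserName    # who was logged on when the credential was used
                ProcessId    = $d.ProcessId          # hex, e.g. 0x4
                Process      = $d.ProcessName
                TargetServer = $d.TargetServerName   # 4648 only: where the credential was sent
            }
        }
    } | Format-Table -AutoSize
}

# Step 3: cached credentials. cmdkey only lists the vault of the user running it,
# so run this while logged on as the Subject user found in step 2 (the
# administrator account in this thread), on the caller computer.
Write-Host "== Credential Manager entries mentioning $TargetUser (current user only) =="
cmdkey /list | Select-String -Pattern $TargetUser -Context 2,0
```

Once the stale entry is identified, `cmdkey /delete:<target name>` removes it for the logged-on user; re-check step 1 after the next lockout window to confirm the 4740 events have stopped.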
Zaheer Iqbal

Ah OK, yes I remember this. Apologies, maybe I misread your question; I didn't state that you were logging in as the account and then after a while it was getting locked out.

Thanks for the points.